Schneider Electric Fixes Vulnerability in Control Valve Positioners

A vulnerability has been found in the Device Type Manager (DTM) component used by Schneider Electric in some of the company’s Invensys SRD Control Valve Positioners.

Advisories published by Schneider Electric and ICS-CERT show that the security hole affects version 3.1.6 and prior of the DTM used in SRD 960 and SRD 991 Control Valve Positioners.

The SRD Control Valve Positioners are used to operate pneumatic valve actuators. Schneider Electric’s solutions are deployed all across the world in sectors such as energy, water and wastewater, and critical manufacturing.

The vulnerability is a stack buffer overflow condition (CVE-2014-9206) in one of the software package’s DLL files. An attacker can exploit the vulnerability for arbitrary code execution, the energy management company explained in its advisory.

A CVSS base score of 5.2 has been assigned to the bug.

The good news for industrial control system (ICS) operators is that the vulnerability cannot be exploited remotely. Furthermore, the attacker needs to trick a local user into loading a malicious DLL file into the vulnerable application.

“Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed DLL file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit,” ICS-CERT noted.

There is no evidence that an exploit for this vulnerability exists, ICS-CERT said. The flaw has been addressed in version 3.6.3 of the DTM.

The issue was discovered and reported by Argentina-based researcher Ivan Sanchez from Nullcode Team.

CVE-2014-9206 is not the only arbitrary code execution vulnerability fixed by Schneider Electric this year. In January, the company released patches to address a similar DLL flaw in the DTM software used for SoMove, SoMove Lite, Unity Pro and SoMachine solutions.

Vulnerable DTM components pose a serious threat to ICS. Last year, Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security, reported identifying tens of vulnerable DTM components from two dozen vendors. Bolshev told SecurityWeek earlier this month that they had notified most of the affected vendors, but since they didn’t get too many replies, they have been trying to get through to the companies via ICS-CERT.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.